Information Hiding in Probabilistic Concurrent Systems

Transcription

1 Information Hiding in Probabilistic Concurrent Systems Miguel Andrés, Catuscia Palamidessi, Peter Van Rossum, Ana Sokolova To cite this version: Miguel Andrés, Catuscia Palamidessi, Peter Van Rossum, Ana Sokolova. Information Hiding in Probabilistic Concurrent Systems. 7th IEEE International Conference on Quantitative Evaluation of SysTems (QEST 00), Sep 00, Williamsburg, VA, United States. IEEE Computer Society, pp.7-6, 00, <0.09/QEST.00.>. <hal > HAL Id: hal Submitted on 9 Dec 00 HAL is a multi-disciplinary open access archive for the deposit and dissemination of scientific research documents, whether they are published or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers. L archive ouverte pluridisciplinaire HAL, est destinée au dépôt et à la diffusion de documents scientifiques de niveau recherche, publiés ou non, émanant des établissements d enseignement et de recherche français ou étrangers, des laboratoires publics ou privés.

2 Information Hiding in Probabilistic Concurrent Systems Miguel E. Andrés, Catuscia Palamidessi, Peter van Rossum, and Ana Sokolova 3. Institute for Computing and Information Sciences, The Netherlands. INRIA and LIX, École Polytechnique Palaiseau, France. 3 Department of Computer Sciences, University of Salzburg, Austria Abstract Information hiding is a general concept which refers to the goal of preventing an adversary to infer secret information from the observables. Anonymity and Information Flow are examples of this notion. We study the problem of information hiding in systems characterized by the presence of randomization and concurrency. It is well known that the raising of nondeterminism, due to the possible interleavings and interactions of the parallel components, can cause unintended information leaks. One way to solve this problem is to fix the strategy of the scheduler beforehand. In this work, we propose a milder restriction on the schedulers, and we ine the notion of strong (probabilistic) information hiding under various notions of observables. Furthermore, we propose a method, based on the notion of automorphism, to verify that a system satisfies the property of strong information hiding, namely strong anonymity or no-interference, depending on the context. I. INTRODUCTION The problem of information hiding consists in trying to prevent the adversary to infer confidential information from the observables. Instances of this issue are Anonymity and Information Flow. In both fields there is a growing interest in the quantitative aspects, see for instance [0], [], [0], [], [8], [3]. This is justified by the fact that often we have some a priori knowledge about the likelihood of the various secrets, and by the fact that protocols often use randomized actions to obfuscate the link between secret and observable, like in anonymity protocols such as the DC Nets [9], Crowds [6], Onion Routing [3], and Freenet []. In a concurrent setting, like in the case of multi-agent systems, there is also another source of uncertainty, which derives from the fact that the various entities may interleave and interact in ways that are usually unpredictable, either because they depend on factors that are too complex to analyze, or because (in the case of specifications) they are implementation-dependent. This uncertainty is commonly modeled as nondeterminism. The formal analysis of systems which exhibit probabilistic and nondeterministic behavior usually involves the use of schedulers, which are functions that select, for each path, only one possible (probabilistic) transition, thus delivering a purely probabilistic execution tree. In the area of security, there is the problem that among all possible schedulers there are also those which take different The work of Catuscia Palamidessi has been partially supported by the project ANR-09-BLAN PANDA and by the INRIA DRI Equipe Associée PRINTEMPS. decisions depending on the secret values, and these decisions may induce different observable behaviors, thus leaking the secret. Hence the security properties are usually violated if we consider all possible schedulers: obviously secure protocols are not secure anymore. This is a well known problem for which various solutions have already been proposed. We will come back to these in the Related work section. A. Contribution The main contribution of this work consists in the following: We ine a class of partial-information schedulers, which we call admissible. These are a restricted version of the standard (full-information) schedulers. The restriction is rather flexible and has strong structural properties, which facilitate the reasoning about security properties. In short, our systems consist of parallel components with certain restrictions on the secret and nondeterministic choices. The scheduler selects the next component (or components, in case of synchronization) for the subsequent step independently of the secret choices. We then formalize the notion of quantitative information leakage under this restricted notion of scheduler. We propose alternative initions to the property of strong anonymity ined in []. The differences of our proposal are: () the system should be strongly anonymous for all admissible schedulers instead of all schedulers, and () we consider several variants of adversaries, namely (in increasing level of power): external adversaries, internal adversaries, and adversaries in collusion with the scheduler. Additionally, we use admissible schedulers to extend the notions of multiplicative [3] and additive leakage [3] to the case of concurrent system. We propose a sufficient technique to prove probabilistic strong anonymity, and probabilistic noninterference, based on automorphisms. The idea is the following: In the purely nondeterministic setting, the strong anonymity of a system is often ined and proved as follows: take two usersaandb and a trace in which user A is the culprit. Now find a trace that looks the same to the adversary, but in which user B is the culprit [0], [6], [3], []. This new trace is often most easily obtained by switching the behavior of A and B. Non-interference can be proved in the same way (where A and B are high information and the trace is the low information).

3 In this work, we develop this technique for systems where probability and nondeterminism coexist, and we need to cope with the restrictions on the schedulers. We formalize the notion of switching the behaviors ofaandb in terms of the existence of an automorphism between A and B, and then we show that the existence of an automorphism implies strong anonymity. We use the Dining Cryptographers [9] to illustrate the problem caused by full-information schedulers, our solution based on admissible schedulers, and our proving technique. B. Related Work The problem of the full-information scheduler has already been extensively investigated in literature. The works [4] and [5] consider probabilistic automata and introduce a restriction on the scheduler to the purpose of making them suitable to applications in security. Their approach is based on dividing the actions of each component of the system in equivalence classes (tasks). The order of execution of different tasks is decided in advance by a so-called task scheduler. The remaining nondeterminism within a task is resolved by a second scheduler, which models the standard adversarial scheduler of the cryptographic community. This second entity has limited knowledge about the other components: it sees only the information that they communicate during execution. Their notion of task scheduler is similar to our notion of admissible scheduler, but more restricted since the strategy of the task scheduler is decided entirely before the execution. The work in [7], [6] is similar to ours in spirit, but in a sense dual from a technical point of view. Instead of ining a restriction on the class of schedulers, they provide a way to specify that a choice is transparent to the scheduler. They achieve this by introducing labels in process terms, used to represent both the states of the execution tree and the next action or step to be scheduled. They make two states indistinguishable to schedulers, and hence the choice between them private, by associating to them the same label. Furthermore, their equivalence classes (schedulable actions with the same label) can change dynamically, because the same action can be associated to different labels during the execution. In [] we extend the framework presented here by allowing internal nondeterminism and adding a second type of scheduler to resolve it, to the aim of investigating angelic vs demonic nondeterminism in equivalence-based properties. The fact that full-information schedulers are unrealistic has also been observed in fields other than security. First attempts used restricted schedulers in order to obtain rules for compositional reasoning [4]. The justification for those restricted schedulers is the same as for ours, namely, that not all information is available to all entities in the system. However that work considers a synchronous parallel composition, so the setting is rather different from ours. Later on, it was shown that model checking is unfeasible in its general form for the restricted schedulers in [4] (see [8] and, more recently, [7]). Despite of undecidability, not all results concerning such schedulers have been negative as, for instance, the technique of partial-order reduction can be improved by assuming that schedulers can only use partial information [9]. To the best of our knowledge, this is the first work using automorphisms as a sound proof technique to prove strong anonymity and non-interference. The closest line of work we are aware of is in the field of model checking, where isomorphisms have been used to identify symmetries in the system and exploited to alleviate the state space explosion (see for instance []). C. Plan of the paper Looking ahead, after reviewing some preliminaries (Section II) we formalize the notions of systems and components (Section III). In Section IV we present admissible schedulers. We then formalize the notions of internal and external strong anonymity in a probabilistic and nondeterministic setting for admissible schedulers (Section V). Finally, we turn our attention to the verification problem, in Section VI we present a strong-anonymity proving technique based on automorphisms. We conclude and outline some future work in Section VII. II. PRELIMINARIES In this section we gather preliminary notions and results related to probabilistic automata [9], [8]. A. Probabilistic automata A function µ: Q [0,] is a discrete probability distribution on a set Q if q Q µ(q) =. The set of all discrete probability distributions on Q is denoted by D(Q). A probabilistic automaton is a quadruple M = (Q,Σ,ˆq,θ) where Q is a countable set of states, Σ a finite set of actions, ˆq the initial state, and θ a transition function θ : Q P(D(Σ Q)). Here P(X) is the set of all subsets of X. If θ(q) =, then q is a terminal state. We write q µ for µ θ(q), q Q. Moreover, we write q r a for q,r Q whenever q µ and µ(a, r) > 0. A fully probabilistic automaton is a probabilistic automaton satisfying θ(q) for all states. In case θ(q) in a fully probabilistic automaton, we will overload notation and use θ(q) to denote the distribution outgoing from q. A path in a probabilistic automaton is a a sequence σ = q a 0 q where qi Q, a i Σ and a i+ q i qi+. A path can be finite in which case it ends with a state. A path is complete if it is either infinite or finite ending in a terminal state. Given a path σ, first(σ) denotes its first state, and if σ is finite then last(σ) denotes its last state. A cycle is a path σ such that last(σ) = first(σ). Let Paths q (M) denote the set of all paths, Paths q(m) the set of all finite paths, and CPaths q (M) the set of all complete paths of an automaton M, starting from the state q. We will omit q if q = ˆq. Paths are ordered by the prefix relation, which we denote by. The trace of a path is the sequence of actions in Σ Σ obtained by removing the states, hence for the above path σ we have trace(σ) = a a... If Σ Σ, then trace Σ (σ) is the projection of trace(σ) on the elements of Σ. Let M = (Q,Σ,ˆq,θ) be a (fully) probabilistic automaton, q Q a state, and let σ Paths q(m) be a finite path

4 starting in q. The cone generated by σ is the set of complete paths σ = {σ CPaths q (M) σ σ }. Given a fully probabilistic automaton M = (Q,Σ,ˆq,θ) and a state q, we can calculate the probability value, denoted by P q (σ), of any finite path σ starting in q as follows: P q (q) = and P q (σ a q ) = P q (σ) µ(a,q ), where last(σ) µ. Let Ω q = CPaths q (M) be the sample space, and let F q be the smallest σ-algebra generated by the cones. Then P q induces a unique probability measure on F q (which we will also denote byp q ) such that P q ( σ ) = P q (σ) for every finite path σ starting in q. For q = ˆq we write P instead of Pˆq. A (full-information) scheduler for a probabilistic automaton M is a functionζ: Paths (M) (D(Σ Q) { }) such that for all finite paths σ, if θ(last(σ)) then ζ(σ) θ(last(σ)), and ζ(σ) = otherwise. Hence, a scheduler ζ selects one of the available transitions in each state, and determines therefore a fully probabilistic automaton, obtained by pruning from M the alternatives that are not chosen by ζ. Note that a scheduler is history dependent since it can take different decisions for the same state s according to the past evolution of the system. B. Noisy Channels This section briefly recalls the notion of noisy channels from Information Theory [3]. A noisy channel is a tuple C = (X,Y,P( )) where X = {x,x,...,x n } is a finite set of input values, modeling the secrets of the channel, and Y = {y,y,...,y m } is a finite set of output values, the observables of the channel. For x i X and y j Y, P(y j x i ) is the conditional probability of obtaining the outputy j given that the input isx i. These conditional probabilities constitute the so called channel matrix, wherep(y j x i ) is the element at the intersection of the i-th row and the j-th column. For any input distribution P X on X, P X and the channel matrix determine a joint probability P on X Y, and the corresponding marginal probability P Y on Y (and hence a random variable Y ). P X is also called a priori distribution and it is often denoted byπ. The probability of the input given the output is called a posteriori distribution. inition is based on the principle that the adversary will choose the secret with the highest a posteriori probability. Note that, using Bayes theorem, we can write the a posteriori vulnerability in terms of the channel matrix and the a priori distribution, or in terms of the joint probability: V(X Y)= y Ymax (P(y x)p X(x))= max P (x,y) x X x X y Y The multiplicative leakage is L (C,P X ) = V(X Y) V(X) whereas the additive leakage is L + (C,P X ) = V(X Y) V(X). D. Dining Cryptographers This problem, described by Chaum in [9], involves a situation in which three cryptographers are dining together. At the end of the dinner, each of them is secretly informed by a central agency (master) whether he should pay the bill, or not. So, either the master will pay, or one of the cryptographers will be asked to pay. The cryptographers (or some external observer) would like to find out whether the payer is one of them or the master. However, if the payer is one of them, they also wish to maintain anonymity over the identity of the payer. A possible solution to this problem, described in [9], is that each cryptographer tosses a coin, which is visible to himself and his neighbor to the left. Each cryptographer observes the two coins that he can see and announces agree or disagree. If a cryptographer is not paying, he will announce agree if the two sides are the same and disagree if they are not. The paying cryptographer will say the opposite. It can be proved that if the number of disagrees is even, then the master is paying; otherwise, one of the cryptographers is paying. Furthermore -for the case of fair coins, if one of the cryptographers is paying, then neither an external observer nor the other two cryptographers can identify, from their individual information, who exactly is paying. The Dining Cryptographers (DC) will be a running example through the paper. C. Information leakage We recall here the initions of multiplicative leakage proposed in [3], and of additive leakage proposed in [3]. We assume given a noisy channel C = (X,Y,P( )) and a random variable X on X. The a priori vulnerability of the secrets in X is the probability of guessing the right secret, ined as V(X) = max x X P X (x). The rationale behind this inition is that the adversary s best bet is on the secret with highest probability. The a posteriori vulnerability of the secrets in X is the probability of guessing the right secret, after the output has been observed, averaged over the probabilities of the observables. The formal inition is V(X Y) = y Y P Y(y)max x X P(x y). Again, this The notion proposed by Smith in [3] was given in a (equivalent) logarithmic form, and called simply leakage. For uniformity sake we use here the terminology and formulation of [3]. Fig.. Chaum s system for the Dining Cryptographers ([9]) III. SYSTEMS In this section we describe the kind of systems we are dealing with. We start by introducing a variant of probabilistic

5 automata, that we call tagged probabilistic automata. These systems are parallel compositions of purely probabilistic processes, that we call components. They are equipped with a unique identifier, that we call tag, or label, of the component. Note that, because of the restriction that the components are fully deterministic, nondeterminism is generated only from the interleaving of the parallel components. Furthermore, because of the uniqueness of the tags, each transition from a node is associated to a different tag / pair of two tags (one in case only one component makes a step, and two in case of a synchronization step among two components). A. Tagged Probabilistic Automata We now formalize the notion of TPA. Definition. A tagged probabilistic automaton (TPA) is a tuple (Q,L,Σ,ˆq,θ), where Q is a set of states, L is a set of tags, or labels, Σ is a set of actions, ˆq Q is the initial state, θ: Q P(L D(Σ Q)) is a transition function. with the additional requirement that for every q Q and every l L there is at most one µ D(Σ Q) such that (l,µ) θ(q). l,a l,a A path for a TPA is a sequence σ = q 0 q q. In this way, the process with identifier l i induces the system to move from q i to q i performing the action a i, and it does so with probability µ li (a i,q i ), where µ li is the distribution associated to the choice made by the component l i. Finite paths and complete paths are ined in a similar manner. In a TPA, the scheduler s choice is determined by the choice of the tag. We will use enab(q) to denote the tags of the components that are enabled to make a transition. Namely, enab(q) = {l L µ D(Σ Q) : (l,µ) θ(q)} () We assume that the scheduler is forced to select a component among those which are enabled, i.e., that the execution does not stop unless all components are blocked (suspended or terminated). This is in line with the spirit of process algebra, and also with the tradition of Markov Decision Processes, but contrasts with that of the Probabilistic Automata of Lynch and Segala [30]. However, the results in this paper do not depend on this assumption; we could as well allow schedulers which decide to terminate the execution even though there are transitions which are possible from the last state. Definition. A scheduler for a TPA M = (Q,L,Σ,ˆq,θ) is a function ζ: Paths (M) (L { }) such that for all finite paths σ, ζ(σ) enab(last(σ)) if enab(last(σ)) and ζ(σ) = otherwise. In [] we extend our framework by allowing nondeterministic choices in the components, and we use an additional scheduler to handle such internal nondeterminism. B. Components To specify the components we use a sort of probabilistic version of CCS [4], [5]. We assume a set of secret actions Σ S with elementss,s,s,, and a disjoint set of observable actions Σ O with elements a,a,a,. Furthermore we have communication actions, which are also observable, of the form c(x) (receive x on channel c, where x is a formal parameter), or c v (send v on channel c, where v is a value on some domain V ). Sometimes we need only to synchronize without transmitting any value, in which case we will use simply c and c. We denote the set of channel names by C. A component q is specified by the following grammar: Components q ::= 0 termination a.q observable prefix i p i : q i blind choice i p i : s i.q i secret choice if x = v then q else q conditional A process call Observables a ::= c c simple synchronization c(x) c v synchronization and communication The p i, in the blind and secret choices, represents the probability of the i-th branch and must satisfy 0 p i and i p i =. When no confusion arises, we use simply + for a binary choice. The process callais a simple process identifier. For each of them, we assume a corresponding unique process declaration of the form A = q. The idea is that, whenever A is executed, it triggers the execution of q. Note that q can contain A or another process identifier, which means that our language allows (mutual) recursion. We remark once again that each component contains only probabilistic and sequential constructs. In particular, there is no internal parallelism. Hence each component corresponds to a purely probabilistic automaton (apart from the input nondeterminism, which disappears in the inition of a system), as described by the operational semantics below. Components semantics: The operational semantics consists of probabilistic transitions of the form q µ where q Q is a process, and µ D(Σ Q) is a distribution on actions and processes. They are specified by the following rules: PRF PRF INT SECR CALL v V c(x).q δ(c(v),q[v/x]) a.q δ(a,q) if a c(x) i p i : q i i p i δ(τ,q i ) i p i : s i.q i i p i δ(s i,q i ) q µ if A = q A µ

6 CND CND if v = v then q else q δ(τ,q ) v v if v = v then q else q δ(τ,q ) i p i µ i is the distribution µ such that µ(x) = i p iµ i (x). We use δ(x) to represent the delta of Dirac, which assigns probability to x. The silent action, τ, is a special action different from all the observable and the secret actions. q[v/x] stands for the process q in which any occurrence of x has been replaced by v. To shorten the notation, in the examples throughout the paper, we omit writing explicit termination, i.e., we omit the symbol 0 at the end of a term. C. Systems A system consists of n processes (components) in parallel, and restricted at the top-level on the set of channel names C: (C) q q q n. The restriction on C enforces synchronization (and possibly communication) on the channel names belonging to C, in accordance with the CCS spirit. Since C is the set of all channels, all of them are forced to synchronize. This is to eliminate, at the level of systems, the nondeterminism generated by the rule for the receive prefix, PRF. Systems semantics: The semantics of a system gives rise to a TPA, where the states are terms representing systems during their evolution. A transition now is of the form q l µ where µ (D(Σ Q)) and l L is either the identifier of the component which makes the move, or a two-element set of identifiers representing the two partners of a synchronization. The following two rules (INT) and (SYNC/COMM) provide the operational semantics rules in the case of interleaving and synchronisation/communication, respectively. (INT) If a j C q i j p j δ(a j,q ij ) i (C) q q i q n j p j δ(a j,(c) q q ij q n ) where i indicates the tag of the component making the step. (SYNC/COMM) q i δ( c v,q i ) q j δ(c(v),q j ) (C) q q i q n {i,j} δ(τ,(c) q q i q j q n) here {i,j} is the tag indicating that the components making the step are i and j. For simplicity we write i,j instead of {i,j}. The rule for synchronization without communication is similar, the only difference is that we do not have v and (v) in the actions. Note that c can only be an observable action (neither a secret nor τ), by the assumption that channel names can only be observable actions. We note that both interleaving and synchronization rules generate nondeterminism. The only other source of nondeterminism is PRF, the rule for a receive prefix c(x). However the latter is not real nondeterminism: it is introduced in the semantics of the components but it disappears in the semantics of the systems, given that the channel c is restricted at the toplevel. In fact the restriction enforces communication, and when communication takes place, only the branch corresponding to the actual value v transmitted by the corresponding send action is maintained, all the others disappear. Proposition. The operational semantics of a system is a TPA with the following characteristics: (a) Every step q l µ is either a blind choice: µ = i p i δ(τ,q i ), or a secret choice: µ = i p i δ(s i,q i ), or a delta of Dirac: µ = δ(α,q ) with α Σ O or α = τ. (b) If q l µ and q l µ then µ = µ. Example. We now present the components for the Dining Cryptographers using the introduced syntax. They correspond to Figure and to the automata depicted in Figure 3. As announced before, we omit the symbol 0 for explicit termination at the end of each term. The secret actions s i represent the choice of the payer. The operators, represent the sum modulo and the difference modulo, respectively. The test i == n returns (true) if i = n, and 0 otherwise. The set of restricted channel names is C={c 0,0,c 0,,c,,c,,c,0,c,,m 0,m,m }. Master = p : m 0 0.m 0.m 0 + ( p) : i=0 p i : s i. m 0 i == 0.m i ==.m i == Crypt i = m i (pay).c i,i (coin ).c i,i (coin ). out i pay coin coin Coin i = 0.5 : c i,i 0. c i,i : c i,i. c i,i System = (C) Master i=0 Crypt i i=0 Coin i Fig.. Dining Cryptographers CCS The operation pay coin coin in Figure is syntactic sugar, it can be ined using the if-then-else operator. Note that, in this way, if a cryptographer is not paying (pay = 0), then he announces 0 if the two coins are the same (agree) and if they are not (disagree). IV. ADMISSIBLE SCHEDULERS We now introduce the class of admissible schedulers.

7 Master Coin i Crypt i p p p 0:s 0 p :s p :s m 0 0 m 0 m 0 0 m 0 0 c i,i 0 τ c i,i c i,i(0) c i,i (0) m i(0) m i() c i,i() c i,i() c i,i () c i,i () c i,i(0) c i,i (0) m 0 m 0 m 0 m m c i,i 0 c i,i out i(0) out i() Fig. 3. Dining Cryptographers Automata Standard (full-information) schedulers have access to all the information about the system and its components, and in particular the secret choices. Hence, such schedulers can leak secrets by making their decisions depend on the secret choice of the system. This is the case with the Dining Cryptographers protocol of Section II-D: among all possible schedulers for the protocol, there are several that leak the identity of the payer. In fact the scheduler has the freedom to decide the order of the announcements of the cryptographers (interleaving), so a scheduler could choose to let the payer announce lastly. In this way, the attacker learns the identity of the payer simply by looking at the interleaving of the announcements. Figure 4 shows the sequence of screens corresponding to a particular sequence of choices taken by the scheduler 3. Interleaving and communication options are represented by yellow and red buttons, respectively. An arrow between two screens represents the transition from one to the other (produced by the scheduler pressing a button), additionally, the decision taken by the scheduler and corresponding outputs are depicted above each arrow. :τ {,}:τ {,3}:τ,,3 3 A. The screens intuition Let us first describe admissible schedulers informally. As mentioned in the introduction, admissible schedulers can base their decisions only on partial information about the evolution of the system, in particular admissible schedulers cannot base their decisions on information concerned with the internal behavior of components (such as secret choices). We follow the subsequent intuition: admissible schedulers are entities that have access to a screen with buttons, where each button represents one (current) available option. At each point of the execution the scheduler decides the next step among the available options (by pressing the corresponding button). Then (if any) the output of the selected component becomes available to the scheduler and the screen is refreshed with the new available options (the ones corresponding to the system after making the selected step). We impose that the scheduler can base its decisions only on such information, namely: the screens and outputs he has seen up to that point of the execution (and, of course, the decisions he has made). Example. Consider S = ({c,c }) q q q 3, where q = 0.5 : s.c.c +0.5 : s.c.c, q = c.(0.5 : a +0.5 : b ), q 3 = c.(0.5 : a +0.5 : b ). Fig :a Screens intuition 3 Note that this system has exactly the same problem as the DC protocol: a full-information scheduler could reveal the secret by basing the interleaving order (q first or q 3 first) on the secret choice of the componentq. However, the same does not hold anymore for admissible schedulers (the scheduler cannot deduce the secret choice by just looking at the screens and outputs). This is also the case for the DC protocol, i.e., admissible schedulers cannot leak the secret of the protocol. B. The formalization Before formally ining admissible schedulers we need to formalize the ingredients of the screens intuition. The buttons on the screen (available options) are the enabled options given by the function enab (see ()), the decision made 3 The transitions from screens 4 and 5 represent steps each (for simplicity we omit the τ-steps generated by blind choices) 5 3:a

8 by the scheduler is the tag of the selected enabled option, observable actions are obtained by sifting the secret actions to the schedulers by means of the following function: sift(α) = { α if α ΣO {τ}, τ if α Σ S. The partial information of a certain evolution of the system is given by the map t ined as follows. Definition 3. Let ˆq l,α ln,αn q n+ be a finite path of the system, then we ine t as: ( ) t ˆq l,α ln,αn q n+ = (enab(ˆq),l,sift(α )).. (enab(q n ),l n,sift(α n )). Finally, we have all the ingredients needed to ine admissible schedulers. Definition 4 (Admissible schedulers). A scheduler ζ is admissible if for all σ,σ Paths t(σ) = t(σ ) implies ζ(σ) = ζ(σ ). In this way, admissible schedulers are forced to take the same decisions on paths that they cannot tell apart. Note that this is a restriction on the original inition of (fullinformation) schedulers where t is the identity map over finite paths (and consequently the scheduler is free to choose differently). V. INFORMATION-HIDING PROPERTIES IN PRESENCE OF NONDETERMINISM In this section we revise the standard inition of information flow and anonymity in our framework of controlled nondeterminism. We first consider the notion of adversary. We consider three possible notions of adversaries, increasingly more powerful. A. Adversaries External adversaries: Clearly, an adversary should be able, by inition, to see at least the observable actions. For an adversary external to the system S, it is natural to assume that these are also the only actions that he is supposed to see. Therefore, we ine the observation domain, for an external adversary, as the set of the (finite) sequences of observable actions, namely: O e = Σ O. Correspondingly, we need a function that extracts the observables from the executions: t e : Paths (S) O e ined as t e ( q 0 l,α l n,α n qn+ ) = sieve(α ) sieve(α n ) where sieve(α) = { α if α ΣO, ǫ if α Σ S {τ}. Internal adversaries: An internal adversary may be able to see, besides the observables, also the intearleaving and synchronizations of the various components, i.e. which component(s) are active, at each step of the execution. Hence it is natural to ine the observation domain, for an internal adversary, as the sequence of pairs of observable action and tag (i.e. the identifier(s) of the active component(s)), namely: O i = (L (Σ O {τ})). Correspondingly, we need a function that extracts the observables from the executions: ined as t i : Paths (S) O i t i ( q 0 l,α l n,α n qn+ ) =(l,sieve(α )) (l n,sieve(α n )). Note that in this inition we could have equivalently used sift instead than sieve. Adversaries in collusion with the scheduler: Finally, we consider the case in which the adversary is in collusion with the scheduler, or possibly the adversary is the scheduler, like in the Dolev-Yao model. Here the observation domain coincides with the one of the scheduler: O s = (P(L) L (Σ O {τ})). The corresponding function t s : Paths (S) O s is ined as the one of the scheduler, i.e. t s = t. B. Information leakage In Information Flow and Anonymity there is a converging consensus for formalizing the notion of leakage as the difference or the ratio between the a priori uncertainty that the adversary has about the secret, and the a posteriori uncertainty, that is, the residual uncertainty of the adversary once it has seen the outcome of the computation. The uncertainty can be measured in different ways. One popular approach is the information-theoretic one, according to which the system is seen as a noisy channel between the secret inputs and the observable output, and uncertainty corresponds to the Shannon entropy of the system (see preliminaries, section B). In this approach, the leakage is represented by the so-called mutual information, which expresses the correlation between the input and the output. The above approach, however, has been recently criticized by Smith [3], who has argued that Shannon entropy is not suitable to represent the security threats in the typical case in which the adversary is interested in figuring out the the secret in one-try attempt, and he has proposed to use Rényi s min entropy instead, or equivalently, the average probability of succeeding. This leads to interpret the uncertainty in terms of the

9 notion of vulnerability ined in the preliminaries, section C. The corresponding notion of leakage, in the pure probabilistic case, have been investigated in [3] (multiplicative case) and in [3] (additive case). Here we adopt the vulnerability-based approach to ine the notion of leakage in our probabilistic and nondeterministic context. The Shannon-entropy-based approach could be extended to our context as well, because in both cases we only need to specify how to determine the conditional probabilities which constitute the channel matrix, and the marginal probabilities that constitute the input and the output distribution. We will denote by S the random variable associated to the set of secrets S = Σ S, and by O x the random variables associated to the set of observableso x, wherex {e,i,s}. So, O x represents the observation domains for the various kinds of adversaries ined above. Our results require some structural properties for the system: we assume that there is a single component in the system containing a secret choice and this component contains a single secret choice. This hypothesis is general enough to allow expressing protocols like the Dining Cryptographers, Crowds, voting protocols, etc., where the secret is chosen only once. Assumption. A system contains exactly one component with a syntactic occurrence of a secret choice, and such a choice does not occur in the scope of any recursive call. Note that the assumption implies that the choice appears exactly once in the operational semantics of the component. It would be possible to relax the assumption and allow more than one secret choice in a component, as long as there are no observable actions between the secret choices. But for the sake of simplicity in this paper we impose the more restrictive requirement. As a consequence, we have that the operational semantics of systems satisfies the following property: Proposition. If q l µ and q l µ are both secret choices, then l = l and there exist p i s, q i s and q i s such that: µ = i p i δ(s i,q i ) and µ = i p i δ(s i,q i ) i.e., µ and µ differ only for the continuation states. Given a system, each scheduler ζ determines a fully probabilistic automaton, and, as a consequence, the probabilities P ζ (s,o) = P ζ σ σ Paths (S), t x (σ) = o,secr(σ) = s for each secret s S and observable o O x, where x {e,i,s}. Here secr is the map from paths to their secret action. From these we can derive, in standard ways, the marginal probabilities P ζ (s), P ζ (o), and the conditional probabilities P ζ (o s). We have that the probabilities of the secrets are actually independent from the scheduler: Proposition 3. Given a system, for every pair of schedulers ζ and ζ we have that P ζ (s) = P ζ (s), for every secret s. Because of the previous proposition, we can omit ζ in P ζ. Every scheduler leads to a (generally different) noisy channel, whose matrix is determined by the conditional probabilities as follows: Definition 5. Let x {e, i, s}. Given a system and a scheduler ζ, the corresponding channel matrix C x ζ has rows indexed by s S and columns indexed by o O x. The value in (s,o) is given by P ζ (o s) = P ζ(s,o) P ζ (s) = P ζ(s,o) P(s). Given a scheduler ζ, the multiplicative leakage can be ined as L (C x ζ,p S ), while the additive leakage can be ined as L + (C x ζ,p S) where P S is the a priori distribution on the set of secrets (see preliminaries, section C). However, we want a notion of leakage independent from the scheduler, and therefore it is natural to consider the worst case over all possible admissible schedulers. Definition 6 (x-leakage). Let x {e,i,s}. Given a system, the multiplicative leakage is ined as ML (C x ζ,p S ) = max ζ Adm L (C x ζ,p S ), while the additive leakage is ined as ML + (C x ζ,p S ) = max ζ Adm L +(C x ζ,p S ), where Adm is the class of admissible schedulers ined in the previous section. We have that the classes of observables e, i, and s determine an increasing degree of leakage: Proposition 4. Given a system, for the multiplicative leakage we have ML (C e ζ,p S ) ML (C i ζ,p S ) ML (C s ζ,p S ). Similarly for the additive leakage. C. Strong anonymity (revised) We consider now the situation in which the leakage is the minimum for all possible admissible schedules. In the purely probabilistic case, we know that the minimum possible multiplicative leakage is, and the minimum possible additive one is 0. We also know that this is the case for all possible input distributions if and only if the capacity of the channel matrix is0, which corresponds to the case in which the rows of the matrix are all the same. This corresponds to the notion of strong probabilistic anonymity ined in []. In the framework of information flow, it would correspond to probabilistic noninterference. Still in [], the authors considered also the extension of this notion in presence of nondeterminism, and required the condition to hold under all possible schedulers. This is too strong in practice, as we have argued in the introduction: in most cases we can build a scheduler that leaks the secret by changing the interleaving order. We therefore tune this notion by requiring the condition to hold only under the admissible schedulers. Definition 7 (x-strongly anonymous). Let x {e, i, s}. We say that a system isx-strongly-anonymous if for all admissible schedulers ζ we have P ζ (o s ) = P ζ (o s )

10 for all s,s Σ S, and o O x. The following corollary is an immediate consequence of previous proposition. Corollary 8. ) If a system is s-strongly-anonymous, then it is also i- strongly-anonymous. ) If a system is i-strongly-anonymous, then it is also e- strongly-anonymous. The converse of point (), in previous the corollary, does not hold, as shown by the following example: Example 3. Consider the system S = ({c,c }) P Q T where P = (0.5 : s : c )+(0.5 : s : c ) Q = c : o T = c : o. It is easy to check that S is e-strongly anonymous but not i-strongly anonymous, showing that (as expected) internal adversaries can distinguish more than external adversaries. On the contrary, for point () of Corollary 8, also the other direction holds: Proposition 5. A system is s-strongly-anonymous if and only if it is e-strongly-anonymous. VI. ON THE VERIFICATION OF STRONG ANONYMITY: A PROVING TECHNIQUE BASED ON AUTOMORPHISMS As mentioned in the introduction, several problems involving restricted schedulers have been shown undecidable (including computing maximum/minimum probabilities for the case of standard model checking [8], [7]). These results are discouraging in the aim to find algorithms for verifying strong anonymity/non-interference using our notion of admissible schedulers (and most initions based on restricted schedulers). Despite the fact that the problem seems to be undecidable in general, in this section we present a sufficient (but not necessary) anonymity proving technique: we show that the existence of automorphisms between pair of secrets implies strong anonymity. A. The proving technique In practice proving anonymity often happens in the following way. Given a trace in which user A is the culprit, we construct an observationally equivalent trace in which user B is the culprit [0], [6], [3], []. This new trace is typically obtained by switching the behavior of users A and B. We formalize this idea by using the notion of automorphism, cf. e.g. [7]. Definition 9 (Automorphism). Given a TPA (Q,L,Σ,ˆq,θ) we say that a bijection f : Q Q is an automorphism if it satisfies f(ˆq) = ˆq and q l i p i δ(α i,q i ) f(q) l i p i δ(α i,f(q i )). In order to prove anonymity it is enough (but not necessary) to prove that the behaviors of any two culprits can be exchanged without the adversary noticing. We will express this in the Theorem by means of the existence of automorphisms that exchange a given pair of secret s i and s j. Our proving technique requires Assumption. Before presenting the main theorem of this section we need to introduce one last inition. Let S = (C) q q n be a system and M its corresponding TPA. We ine M τ as the automaton obtained after hiding all the secret actions of M. The idea is to replace every occurrence of a secret s in M by the silent action τ. Note that this can be formalized by replacing the secret choice by a blind choice in the corresponding component q i of the system S. We can now state the relation between automorphisms and strong anonymity. Theorem. Let S be a system that satisfies Assumption and M its tagged probabilistic automaton. If for every pair of secrets s i,s j Σ S there exists an automorphism f of M τ such that for any state q we have q l,si M q = f(q) l,sj M f(q ), then S is s-strongly-anonymous. Note that, since s-strong anonymity implies i-strong anonymity and e-strong anonymity, the existence of such an automorphism implies all the notions of strong anonymity presented in this work. Proposition 6. The converse does not hold, i.e. strong anonymity does not imply the existence of automorphisms. We now show that the inition of x-strong-anonymity is independent of the particular distribution over secrets, i.e., if a system is x-strongly-anonymous for a particular distribution over secrets, then it is x-strongly-anonymous for all distributions over secrets. Theorem. Consider a system S = (C) q q i q n. Let q i be the component which contains the secret choice, and assume that it is of the form j p j : s j.q j. Consider now the system S = (C) q q i q n, where q i is identical to q i except for the secret choice, which is replaced by j p j : s j.q j. Then we have that: ) For every s i, s j there is an automorphism on S satisfying the assumption of Theorem if and only if the same holds for S. ) S is x-strongly-anonymous if and only if S is x-stronglyanonymous. Note: ) does not imply ), because in principle neither S not S may have the automorphism, and still one of the two could be strongly anonymous. B. An Application: Dining Cryptographers Now we show how to apply the proving technique presented in this section to the Dining Cryptographers protocol. Concretely, we show that there exists an automorphism f exchanging the behavior of the Crypt 0 and Crypt ; by symmetry, the same holds for the other two combinations.

11 Master p p p 0:s 0 p :s p :s m 0 0 m 0 m 0 m 0 m 0 0 m 0 0 m 0 m m c i,i 0 c i,i 0 Fig. 5. Automorphism between Crypt 0 and Crypt Coin τ c i,i c i,i Consider the automorphisms of Master and Coin indicated in Figure 5. The states that are not explicitly mapped (by a dotted arrow) are mapped to themselves. Also consider the identity automorphism on Crypt i (for i = 0,,) and on Coin i (for i = 0,). It is easy to check that the product of these seven automorphisms is an automorphism for Crypt 0 and Crypt. VII. CONCLUSION AND FUTURE WORK We have ined a class of partial-information schedulers which can only base their decisions on the information they have available. In particular they cannot base their decisions on the internal behavior of the components. We have used admissible schedulers to resolve nondeterminism in a realistic way, and to tune the inition of strong anonymity proposed in []. We have presented a technique to prove the various initions of strong anonymity proposed in the paper. This is particularly interesting considering that many problems related to restricted schedulers have been shown to be undecidable. In particular we have shown how to use the technique to prove that the DC protocol is strongly anonymous when considering admissible schedulers, in contrast to the situation when considering full-information schedulers. We plan to investigate the decidability problem for the various initions of strong anonymity we have proposed. Another interesting direction for future work is to extend well known isomorphism-checking algorithms and tools (see [5] for a survey) to our setting in order to verify automatically strong anonymity (in case an automorphism exists - recall that this is not a necessary condition). Acknowledgement The authors wish to thank Flavio Garcia, Pedro D Argenio, Sergio Giro, and Mariëlle Stoelinga for useful comments on an earlier version of this paper, as well as the anonymous reviewers for thoroughly reading the paper and providing thoughtful recommendations. REFERENCES [] M. S. Alvim, M. E. Andrés, C. Palamidessi, and P. van Rossum. Safe Equivalences for Security Properties. In Proc. of TCS, IFIP AICT, 00. [] M. Bhargava and C. Palamidessi. Probabilistic anonymity. In Proc. of CONCUR, volume 3653 of LNCS, pages Springer, 005. [3] C. Braun, K. Chatzikokolakis, and C. Palamidessi. Quantitative notions of leakage for one-try attacks. In Proc. of MFPS, ENTCS 49, 009. [4] R. Canetti, L. Cheung, D. Kaynar, M. Liskov, N. Lynch, O. Pereira, and R. Segala. Task-structured probabilistic i/o automata. In Proc. of WODES, 006. [5] R. Canetti, L. Cheung, D. K. Kaynar, M. Liskov, N. A. Lynch, O. Pereira, and R. Segala. Time-bounded task-pioas: A framework for analyzing security protocols. In Proc. of DISC, LNCS 467, pages 38 53, 006. [6] K. Chatzikokolakis, G. Norman, and D. Parker. Bisimulation for demonic schedulers. In Proc. of FOSSACS, LNCS 5504, 009. [7] K. Chatzikokolakis and C. Palamidessi. Making random choices invisible to the scheduler. In Proc. of CONCUR, LNCS 4703, 007. [8] K. Chatzikokolakis, C. Palamidessi, and P. Panangaden. Anonymity protocols as noisy channels. Inf. and Comp., 06( 4):378 40, 008. [9] D. Chaum. The dining cryptographers problem: Unconditional sender and recipient untraceability. Journal of Cryptology, :65 75, 988. [0] D. Clark, S. Hunt, and P. Malacaria. Quantified interference for a while language. In Proc. of QAPL, ENTCS, pages 49 66, 005. [] I. Clarke, O. Sandberg, B. Wiley, and T. W. Hong. Freenet: A distributed anonymous information storage and retrieval system. In Proc. of DIAU, volume 009 of LNCS, pages Springer, 000. [] M. R. Clarkson, A. C. Myers, and F. B. Schneider. Belief in information flow. J. of Comp. Security, 7(5):655 70, 009. [3] T. M. Cover and J. A. Thomas. Elements of Information Theory. J. Wiley & Sons, Inc., second edition, 006. [4] L. de Alfaro, T. A. Henzinger, and R. Jhala. Compositional methods for probabilistic systems. In Proc. of CONCUR, LNCS 54, 00. [5] P. Foggia, C. Sansone, and M. Vento. A performance comparison of five algorithms for graph isomorphism. In Proc. of the IAPR TC-5 Ws. on Graph-based Repres. in Pattern Recognition, pages 88 99, 00. [6] F. D. Garcia, I. Hasuo, P. van Rossum, and W. Pieters. Provable anonymity. In Proc. of FMSE, pages ACM, 005. [7] S. Giro. Undecidability results for distributed probabilistic systems. In Proc. of SBMF, volume 590 of LNCS, pages Springer, 009. [8] S. Giro and P. R. D Argenio. Quantitative model checking revisited: Neither decidable nor approximable. In Proc. of FORMATS, 007. [9] S. Giro, P. R. D Argenio, and L. M. F. Fioriti. Partial order reduction for probabilistic systems: A revision for distributed schedulers. In Proc. of CONCUR, volume 570 of LNCS, pages Springer, 009. [0] J. Y. Halpern and K. R. O Neill. Anonymity and information hiding in multiagent systems. J. of Comp. Security, 3(3):483 5, 005. [] I. Hasuo and Y. Kawabe. Probabilistic anonymity via coalgebraic simulations. In Proc. of ESOP, LNCS 44, pages , 007. [] M. Z. Kwiatkowska, G. Norman, and D. Parker. Symmetry reduction for probabilistic model checking. In Proc. of CAV, LNCS 444, 006. [3] S. Mauw, J. Verschuren, and E. de Vink. A formalization of anonymity and onion routing. In Proc. of ESORICS, LNCS 393, 004. [4] R. Milner. Communication and Concurrency. Prentice Hall, 989. [5] R. Milner. Communicating and mobile systems: the π-calculus. CUP, 999. [6] M. K. Reiter and A. D. Rubin. Crowds: anonymity for Web transactions. ACM Trans. on Information and System Security, ():66 9, 998. [7] J. J. Rutten. Universal coalgebra: A theory of systems. Theor. Comp. Sci., 49:3 80, 000. [8] R. Segala. Modeling and Verification of Randomized Distributed Real- Time Systems. PhD thesis, 995. Tech. Rep. MIT/LCS/TR-676. [9] R. Segala and N. Lynch. Probabilistic simulations for probabilistic processes. In Proc. of CONCUR, LNCS 836, 994. [30] R. Segala and N. Lynch. Probabilistic simulations for probabilistic processes. Nordic Journal of Computing, ():50 73, 995. [3] G. Smith. On the foundations of quantitative information flow. In Proc. of FOSSACS, volume 5504 of LNCS, pages Springer, 009. [3] P. Syverson, D. Goldschlag, and M. Reed. Anonymous connections and onion routing. In Proc. of S&P, pages 44 54, 997.